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An instinct for growth 


Internal Audit progress report Audit budget update 
The purpose of this report is to advise the Audit Committee of our progress in 
planning and delivering the 2015-16 Internal Audit Plan. Finance Controls review: An additional 2 days were required to cover additional 


work requested by management. 


Progress to date Core Operations review: Revision to the scope of the review to incorporate and 


complete the questionnaire analysis and report back to management on feedback 


Since the Committee last met we have completed the review of Core financial from key customers of the ICO. An additional two days were agreed with 
controls, report summary included and Core Operations (post project Eagle) has 


completed the fieldwork and a draft (but not final) report has been issued to 
management. 


management. 


Reviews planned 


The final Internal Audit piece of work to be carried out is the follow up review 
scheduled for March 2016 and the completing the report on Core Operations (post 
project Eagle). 
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Status and progress of reviews 


Core financial controls 
The objective of the review was to establish that there were sufficient controls in 
place over the following areas: 


1 Purchase ledger (a new finance system called Great Plains had recently been 
implemented) 

2 Income recognition and processing — regarding Data Protection fees that are paid 
by cheque, card Direct Debit and BACS 

3 Segregation of duties and access rights on the finance system 


There were two main findings, both rated medium. The first finding related to user 
access rights to the MS Great Plains system were not appropriate, as each member 
of the Finance team is a designated super user with access to amend user profiles 
and to edit supplier details. As the system is now established at the ICO, a formal 
review of user access rights (including super users) should be undertaken to enforce 
segregation of duties and limit the abilities of individuals to process finance data. 


The second finding concerns the BACS payment file, which is generated as a text 
file, a check of bank details is done by a separate member of the Finance team. 
However this check is not documented, and once the check is complete the file is 
then returned to the same member of staff who generated the BACS file for upload 
into Bankline. We noted that the payment file is not locked down at any point, 
meaning there is a risk that supplier details can be amended prior to upload into 
Bankline. 


All recommendations have been agreed with management. 
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Core operations (post project Eagle) 

This Advisory review has involved conducting an online survey of ICO stakeholders, 
as identified with management. The survey closed in February and we are currently 
analysing the 15 responses, including narrative, to identify key findings and themes 
for collation into a report for discussion with ICO management. Our report will be 
presented to the audit committee in June 2016 


Page 2 


Progress 


New Finance 
System 
Benefits 
realisation 


Engagement with 
staff 


Recruitment 


Engagement with 
staff 


Performance 


Core operations 
(post Eagle) 


Core financial 
controls 


Follow Up 


The new finance system will be implemented by the start of the financial year. A post implementation 
review of the project would identify whether there are any lessons learnt for future projects and that 
the expected benefits have been realised. An expected benefit is improved budgeting through new 
functionality in the finance system. 


Establish how staff requirements are determined, the process to identify candidates, the selection 
process and preparing for new starters. This should ensure that recruitment is as efficient as possible 
and ensure vacancies are filled as soon as possible. 


Confirm that ICO has a formal performance appraisal process that considers training needs, 
development opportunities and identify staff with potential or conversely staff underperforming. An 
effective performance management process should ensure the ICO retains valuable staff and deals 
with poor performance effectively. 


Project Eagle was establish to review how ICO manages cases to ensure the process is efficient and 
allows the ICO to deal effectively with an expected increase in cases that will be reported to the ICO, 
but resources will remain static. This review will focus on the actual operations of case management 
from end to end — how the ICO actually delivers its core work and the key risks and controls in that 
delivery. 


A general review of the expected financial controls that ensure appropriate transparency and 
approvals are in place to ensure that the ICO manages financial transactions appropriately. The 
scope is likely to include such matters as delegated authorities and their limits, all purchases are 
supported by a purchase order which is matched to invoices, appropriate approval for each 
transaction is in place, any adjustments are appropriate and approved, with regular reporting and 
reconciliations in place to ensure management are fully briefed each month. It will also consider the 
month end process which takes into account the move to accrual accounting. 


Review of the arrangements to capture and implement audit recommendations in a timely manner. 


* Additional budget agreed with management 
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Q3 


Q2 


Q3 


Q2 


a4 


Q4 


10* 


10* 


Report issued / Complete 


Report issued / Complete 


Report issued / Complete 


Report issued / Complete 


Report issued / Complete 


Planning - not started 
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Status and progress of reviews 


Initial summary of assurance provided from 2015-16 Internal Audit Plan 


Recommendations Review findings inform annual opinion 
Review Area Review assessment 

H M L l Total Risk mgt Corp Gov Int. Control 
New Finance System - Benefits realisation 2 4 2 8 Y Y 
Engagement with staff - Recruitment 3 5 2 10 Y Y 
Engagement with staff - Performance 3 2 5 v Y 
Core operations -post Eagle (Advisory review) - - - - - Not applicable - - - 
Core financial controls 2 4 2 8 Y Y dl Table above provides 

a summary of the 


reviews undertaken and an indication that will form the basis of the overall opinion on internal controls, as part of the annual report. The Audit Committee can review the level of 
assurance provided and conclude whether this is adequate for their requirements. 
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